Driver License Ocr

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it can upload sensitive driver-license files to an external OCR API with only broad auto-trigger guidance.

Install only if you are comfortable sending driver-license images or PDFs to Scnet's OCR service. Before each run, confirm the exact file path and document type, avoid pointing it at unrelated local files, and store SCNET_API_KEY in the local config file with restrictive permissions rather than pasting it into chat.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The auto-trigger guidance says the AI may invoke the skill based on vague description keywords, without clear constraints such as requiring explicit consent, supported document types, or confirmation before uploading a local file. In this context, ambiguous triggering is risky because the skill handles sensitive PII in driver's license images and sends that data to a third-party service.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal